You've got a sound security setup, with firewalls, intrusion detection, authentication and authorization -- the gamut. Still, one day you find that valuable data is missing from a corporate server. You have no idea whether it's in the hands of an external hacker or a malicious insider. Now what do you do?

Finding the culprit may well require the expertise of a network forensics specialist. Network forensics involves finding the extent of a security breach and recovering lost data. Forensics experts also try to determine how the intruder got past your security mechanisms and, potentially, who the person is.

Forensics feeds off data collected by intrusion-detection systems, firewalls, switches, routers, servers and various other devices. Forensics evidence exists in three main places: on the perpetrator's computer, on the "victim" computer and on the network devices in between the two, notes Mark Pollitt, unit chief of the Computer Analysis Response Team for the FBI Laboratory in Washington, D.C. The key to finding the culprit is to be dogged about collecting log data from each device in the chain.

"Logs are the key to everything," agrees John Frazier, chief information security officer at i2 Technologies, a vendor of supply-chain management tools. "When there are no logs, there is no way to evaluate the extent to which you've been compromised."
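The chain-of-devices idea above (perpetrator, victim, and every device in between) and the "no logs, no evaluation" point both come down to correlating whatever each hop recorded. The script below is an added example, not code from the article or from any vendor it quotes: it takes constructed log lines from a perimeter firewall, a server's SSH auth log and a file-audit log, links an accepted inbound connection to the login it produced and to the files that session read, and reports any device in the chain that kept no logs at all. Device names, IPs, paths and log formats are all invented for the example.

```python
"""Rebuild an intruder's trail by correlating logs from each device in the chain.
Added example with constructed log data; formats and hostnames are assumptions."""
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs (not from any real incident).
FIREWALL_LOG = """\
2024-03-01T02:14:05Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T02:14:09Z fw01 ACCEPT src=198.51.100.9 dst=10.0.0.8 dport=443
2024-03-01T02:31:40Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
"""
AUTH_LOG = """\
2024-03-01T02:14:07Z srv05 sshd Accepted password for svc_backup from 203.0.113.7
2024-03-01T02:31:42Z srv05 sshd Accepted password for svc_backup from 203.0.113.7
"""
FILE_LOG = """\
2024-03-01T02:16:30Z srv05 fileaudit READ /data/finance/q4_forecast.xlsx user=svc_backup
2024-03-01T02:33:10Z srv05 fileaudit READ /data/hr/salaries.csv user=svc_backup
"""
SWITCH_LOG = ""  # the access switch between fw01 and srv05 kept nothing: a gap


def parse_firewall(text):
    """Perimeter ACCEPT records: who came in from outside, to which host/port."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) ACCEPT src=(\S+) dst=(\S+) dport=(\d+)", line)
        if m:
            out.append({"ts": datetime.strptime(m[1], TS), "device": m[2],
                        "src": m[3], "dst": m[4], "dport": int(m[5])})
    return out


def parse_auth(text):
    """Successful SSH logins on the victim host: user and source address."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) sshd Accepted \w+ for (\S+) from (\S+)", line)
        if m:
            out.append({"ts": datetime.strptime(m[1], TS), "device": m[2],
                        "user": m[3], "src": m[4]})
    return out


def parse_file_access(text):
    """File-audit records on the victim host: which user touched which path."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) fileaudit (\w+) (\S+) user=(\S+)", line)
        if m:
            out.append({"ts": datetime.strptime(m[1], TS), "device": m[2],
                        "action": m[3], "path": m[4], "user": m[5]})
    return out


def reconstruct_chain(fw_text, auth_text, file_text, window=timedelta(seconds=10)):
    """Link each firewall ACCEPT to the login it produced (same source IP, within
    `window`) and to the files that user read before their next login."""
    logins = parse_auth(auth_text)
    reads = parse_file_access(file_text)
    chain = []
    for fw in parse_firewall(fw_text):
        for login in logins:
            delta = (login["ts"] - fw["ts"]).total_seconds()
            if login["src"] != fw["src"] or not 0 <= delta <= window.total_seconds():
                continue
            # The session's file activity ends at that user's next login, if any.
            later = [l["ts"] for l in logins
                     if l["user"] == login["user"] and l["ts"] > login["ts"]]
            end = min(later) if later else datetime.max
            files = [r["path"] for r in reads
                     if r["user"] == login["user"] and login["ts"] <= r["ts"] < end]
            chain.append({"external_ip": fw["src"], "target": fw["dst"],
                          "login_at": login["ts"], "user": login["user"],
                          "files": files})
    return chain


def find_log_gaps(sources):
    """Devices in the chain that produced no records: evidence you cannot recover."""
    return [name for name, text in sources.items() if not text.strip()]


if __name__ == "__main__":
    for hop in reconstruct_chain(FIREWALL_LOG, AUTH_LOG, FILE_LOG):
        print(f"{hop['external_ip']} -> {hop['target']} as {hop['user']} "
              f"at {hop['login_at']:%H:%M:%S}: {hop['files']}")
    print("devices with no logs:",
          find_log_gaps({"fw01": FIREWALL_LOG, "switch03": SWITCH_LOG,
                         "srv05": AUTH_LOG + FILE_LOG}))
```

The correlation key here is deliberately simple (source IP plus a short time window); in a real investigation you would also carry connection IDs, NAT translations and session identifiers across hops. The `find_log_gaps` check is the practical form of Frazier's remark: a hop with nothing recorded is a hole in the timeline you cannot fill after the fact.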

The link for this article located at ITWorld is no longer available.